If you had the opportunity to stand in front of a group of people and you and only you could talk, what would you say?
Does the group of people matter?
Does their age matter?
Does their line of work, their job role or their skill set matter?
Do their political and societal beliefs matter?
Would it matter how much time you had to speak?
These are just some of the things I think about when I am talking to a group of people about Security Awareness.
Contextual Communication Matters
Here is the scene:
You’re the CISO. You pitched the CEO on talking to the company about Security Awareness during the next company briefing, which all employees attend. (In this imaginary scene, COVID doesn’t exist.)
You’re able to secure 5 minutes to talk to the entire company about anything security related. The question is: what do you say, and how do you say it?
The reason I led with those questions up at the top is that when I think about talking to a group of people, I try to think about how I can make what I say contextual to the audience. When you speak from a place of common understanding, you’re more likely to be heard. It also invokes empathy in the audience, because they feel like you “get them.”
I posed this same question to the #infosec community on Twitter a while back and I got some really great responses.
Michael Stamas says to “Make it about the business, not technology.” Great point indeed. Relate it back to how security, and the actions or inaction of employees, can affect the business: not only financially, but in brand, reputation and trust as well.
Kelly Shortridge says to keep realistic threat models in mind. Sure, it can be funny to talk about that one time this crazy thing happened, but scaring people into unnecessary action is just as bad as, and could even be worse than, no action.
There were many other really great responses; I encourage you to go read the Twitter thread. Knowledge is power.
If you asked me what I would say? Well, it depends. :O)
I would work really hard to show empathy and understanding that sometimes “security” does make life more difficult for everyone else. This is not intended, and this is not the goal. Security practitioners recognize that some security mechanisms do just create more clicks and more work for the end user. MFA is one example: any way you slice it, it’s less convenient than just logging in with a password.
Security practitioners also work really hard to consider risks in the context of the bigger picture, because ultimately a security mechanism that creates more issues than it resolves is no better than the problem it was meant to address.